California Consumer Privacy Act: GDPR Regulations Reach the United States

September 19, 2018

Shortly after the European Union's much-anticipated privacy law (known as the General Data Protection Regulation, or 'GDPR') went to effect, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (CCPA). The law takes effect on January 1, 2020, and is expected to create one of the most significant and strict regulations around data collection and privacy practices in the United States.

The CCPA shares many similar features to the GDPR and has broad application. It will affect your organization if any of the following are true, even if your organization is not located in California:

You have over $25 million in annual revenues;

You buy, hold, sell, or share personal information of 50,000 or more California consumers, households, or devices; or

You derive at least 50% of your revenue from selling residents' personal information.

Under the CCPA, your organization's data collection practices will need to be carefully reviewed and your capability to respond to consumer data requests will need to be robust. Specifically, you will need to properly disclose what data you collect and sell and be able to properly delete it upon request (under certain conditions). It is likely that CCPA compliance will also need to be certified to your contractual partners if your company has contractual arrangements with larger companies, most typically in the form of supply agreements.

PenaltiesPenalties for non-compliance can be severe. For example, consumers may, under certain circumstances, have a private right of action against companies that violate the CCPA's data security requirements. The law also allows recovery of damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

Next StepsIf your organization meets any one of the criteria mentioned above, we recommend that you launch a comprehensive data security and privacy assessment. The assessment would include, for example, a review of your privacy policy, information security policy, incident response plan, and insurance policy—all with an eye towards identifying potential gaps.

We Can HelpWhether through advising on an assessment process or refreshing your policies and procedures, our attorneys can help ensure your company takes the necessary steps to comply with the CCPA ahead of implementation on January 1, 2020.

Attend the 2018 Cyber Security Summit—Compliments of Maslon!As a sponsor of the 2018 Cyber Security Summit, Maslon has a limited number of complimentary passes available to the conference taking place October 22-24 at the Minneapolis Convention Center. If you are interested in attending, please RSVP, and we will confirm back if passes are still available.

HAVE QUESTIONS?

Please let us know if you have any questions regarding the information provided and how it may apply to your specific situation.